
Based on this topic it seems like I found the issue, but I really don't know how to solve it.

I have the following configuration for the WebSecurityConfigurerAdapter because I am working with a JWT security flow like in this page. The problem is on the configuration side and not the build itself.

The configuration is like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
            // Unauthenticated requests to protected resources are handed to unauthorizedHandler (AuthEntryPointJwt)
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            // No HTTP session: every request must carry its own JWT
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/login").permitAll()
            .antMatchers("/register/**").permitAll()
            // Matches only the exact path "/"
            .antMatchers("/").permitAll()
            .anyRequest().authenticated();
    // Validate the JWT before the username/password filter runs
    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}

Unfortunately it doesn't let me access the homepage. If I do .antMatchers("/**").permitAll() it will work fine. When I access http://localhost:8080 I get:

2021-04-26 23:09:42.517 ERROR 10160 --- [nio-8080-exec-4] c.a.d.security.jwt.AuthEntryPointJwt     : Unauthorized error: Full authentication is required to access this resource

This comes out from the unauthorizedHandler, but in the configuration the .antMatchers("/").permitAll() is supposed to let me access the index, and it does not.

If I go for example with .antMatchers("/**").permitAll() it lets me access the page, but overall it will break the security flow.

Dragos Roban

2 Answers


Have you tried the following? This works for me; I am able to access the homepage through this configuration.

http.authorizeRequests().mvcMatchers("/").permitAll()

And one more thing: don't use ant matchers, they are not as safe and customizable as mvcMatchers.

mss
  • The problem was deeper than that. Just got it out. It didn't manage to access the UI resources, like .js and .css files and so on. What a mess :D – Dragos Roban Apr 26 '21 at 20:46
  • @DragosRoban Nice :) glad you solved the problem :) – mss Apr 26 '21 at 20:46

I assume you wish to return a page instead of a simple JSON response on the URI GET /.

The configuration .antMatchers("/").permitAll() gives public access to the exact resource /, but it does not allow you to anonymously download other resources such as /global.css, /foo.js, etc.

Change it to .antMatchers("/*").permitAll() and this gives you public access to all resources under the / path.

justthink
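To see concretely which requests each pattern discussed in this thread permits, here is an added example (not code from the question or either answer) that runs Spring's AntPathMatcher, the matcher behind antMatchers(), against a few constructed paths: the index page plus the top-level and nested assets such a page typically loads. The sample paths /global.css and /js/app.js and the class name MatcherDemo are assumptions; only spring-core is needed on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

public class MatcherDemo {
    // AntPathMatcher implements the same Ant-style rules that antMatchers() applies to request paths
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Constructed sample paths: the homepage, a top-level asset, a nested asset and an
    // endpoint that the question's configuration already permits explicitly
    static final List<String> SAMPLE_PATHS = List.of("/", "/global.css", "/js/app.js", "/login");

    /** Returns, for each sample path, whether the given pattern would permit it. */
    static Map<String, Boolean> evaluate(String pattern) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String path : SAMPLE_PATHS) {
            result.put(path, MATCHER.match(pattern, path));
        }
        return result;
    }

    /** True if the pattern permits the index page AND every asset it needs, nothing else. */
    static boolean permitsIndexAndAssetsOnly(String pattern) {
        Map<String, Boolean> r = evaluate(pattern);
        return r.get("/") && r.get("/global.css") && r.get("/js/app.js") && !r.get("/login");
    }

    public static void main(String[] args) {
        // "/" permits only the exact index path; "/*" adds one path segment below it;
        // "/**" permits every path, which is what removes the protection from the rest of the API
        for (String pattern : List.of("/", "/*", "/**")) {
            System.out.println(pattern + " -> " + evaluate(pattern));
        }
        // Least-privilege alternative: name the asset locations instead of opening "/**"
        for (String pattern : List.of("/*.css", "/js/**")) {
            System.out.println(pattern + " -> " + evaluate(pattern));
        }
    }
}
```

Running it shows why neither "/" nor "/*" covers a nested asset while "/**" covers everything, so explicit asset patterns next to "/" keep anyRequest().authenticated() meaningful.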